From Handle to Human: Unmasked “Rey” of Scattered LAPSUS$ Hunters
Scattered LAPSUS$ Hunters (SLSH) emerged as one of the most disruptive cyber-extortion crews of recent years, blending social engineering, data theft, and public shaming campaigns against major global brands. Yet the most compelling part of this story is not just what the group did, but how one researcher patiently followed a trail of digital crumbs to pierce the pseudonym “Rey” and expose the teenager behind a sprawling cybercrime ecosystem.
This post walks through that journey: from Telegram handles and breach data, to infostealer logs and family autofill entries, showing how a seemingly careful actor slowly unraveled under the weight of his own mistakes.
The Rise of Scattered LAPSUS$ Hunters
SLSH is described as an amalgamation of three well-known crews: Scattered Spider, LAPSUS$, and ShinyHunters, with members overlapping across English-language Telegram and Discord communities. In 2025, they ran high‑impact campaigns that combined voice phishing, cloud abuse, and data leak sites to pressure victims into paying.
- In May 2025, SLSH used voice phishing to trick employees into authorizing a malicious app linked to corporate Salesforce portals, then threatened to leak data from dozens of companies including Toyota, FedEx, Disney/Hulu, and UPS.
- The group openly recruited “insiders,” offering disgruntled employees a cut of ransom proceeds in exchange for internal access to their employer’s systems.
- Historically reliant on third‑party ransomware encryptors (ALPHV/BlackCat, Qilin, RansomHub, DragonForce), SLSH later announced its own ransomware‑as‑a‑service brand, ShinySp1d3r, signalling a shift toward building its own monetization stack.
Amid all this, one name kept surfacing: “Rey,” a young administrator, spokesperson, and technical operator at the heart of SLSH’s public presence.
Step 1: Linking Rey to Hikki‑Chan and @wristmug
The researcher’s first major breakthrough came from studying Rey’s historical footprint on BreachForums and related communities. Cyber intelligence reporting tied Rey to a previous alias, “Hikki‑Chan,” whose early posts advertised data allegedly stolen from the U.S. Centers for Disease Control and Prevention (CDC).
- Intel 471 reported that Rey authored more than 200 posts across multiple BreachForums incarnations between February 2024 and July 2025, initially under the name Hikki‑Chan.
- In a February 2024 CDC‑related post, Hikki‑Chan pointed people to a Telegram username: @wristmug.
- In May 2024, @wristmug shared a screenshot of a generic sextortion email in a Telegram group called “Pantifan,” revealing both an old password and the domain of a ProtonMail address.
Here is the classic OSINT pivot: the screenshot was redacted carelessly. The user hid the email's local part but left the domain and the full, previously used password exposed. A sufficiently unusual password is effectively a unique key that can be searched across breach and infostealer datasets; a common or default password would have returned far too many hits to be useful.
Step 2: From a Leaked Password to “o5tdev”
Using the unique password captured in the Telegram screenshot, the investigator pivoted into credential-breach indexing services to see where else that exact string appeared. SpyCloud indexed the password as being associated with exactly one email address: cybero5tdev(at)proton.me
- SpyCloud data showed that this credential set had been exfiltrated multiple times in early 2024 via an infostealer trojan, which captured stored logins and authentication cookies from the infected device.
- Intelligence from KELA first surfaced the infostealer infection in March 2025, highlighting that cybero5tdev's machine had been thoroughly compromised.
- Intel 471 linked cybero5tdev(at)proton.me to a BreachForums user named o5tdev, whose handle appeared in web defacement archives connected to pro‑Palestinian hacktivist campaigns.
Additional research into “o5tdev” led to references to the Cyb3r Drag0nz Team, a hacktivist group known for DDoS, defacements, and data leaks, including claims of leaking personal data on over a million Israeli citizens. A SentinelOne report documented this group’s activities and its pattern of publishing large .RAR archives of purported Israeli citizen data.
The investigator had now mapped a path from Rey → Hikki‑Chan → @wristmug → a unique password → cybero5tdev(at)proton.me → the handle o5tdev, tightening the circle around a single threat actor persona.
Step 3: Telegram, Heritage Clues, and the “Ginty” Breadcrumb
Another pivot came from analyzing Rey’s behavior in Telegram channels focused on cybercrime, specifically a channel called “Jacuzzi.” There, Rey not only discussed operations but casually dropped personal details that would later become crucial.
- Flashpoint data showed that Rey’s Telegram account (ID 7047194296) was active in Jacuzzi and other crime‑oriented channels, where he claimed to be 15 years old and mentioned that his father was an airline pilot.
- Rey also referenced having Irish roots, sharing a graphic showing the prevalence of the surname Ginty, and stating that he had family connections to that name.
On their own, age, nationality hints, and family occupation are weak identifiers. Combined with previously gathered technical indicators, however, they acted as soft signals that later aligned perfectly with the infostealer and autofill data.
Step 4: Infostealer Autofill Data and the Khader Family
The same infostealer logs that exposed the cybero5tdev credentials also dumped browser autofill records, effectively turning an infected machine into a snapshot of the household's digital life. SpyCloud's indexing of that dataset illuminated where "Rey" actually lived and with whom.
- The logs indicated a shared Windows PC located in Amman, Jordan, with multiple user profiles all sharing the last name Khader.
- Autofill entries included address information tying the Khader family to a location in Amman, consistent across several users.
- One entry referred to a 46‑year‑old Zaid Khader, listing his mother’s maiden name as Ginty, neatly connecting the Irish‑heritage narrative from Telegram with concrete personal data.
- Browser history and logins showed that Zaid frequently accessed internal staff portals for Royal Jordanian Airlines, aligning with Rey’s earlier claims that his father was an airline pilot.
At this stage, the investigator could plausibly assert that “Rey” was a teenager in a Jordanian family named Khader, with an airline‑pilot father, and an Irish grandmother whose maiden name was Ginty. Each clue from chat logs had a matching record in the stolen autofill corpus, turning loose anecdotes into corroborated identity attributes.
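The two mechanical parts of this trail, the Step 2 password pivot and the Step 4 household correlation, can be shown as an added Python example. This is illustrative code written for this post, not tooling from the investigation or from SpyCloud, KELA or any other vendor; the commercial indexes are stood in for by two in-memory lists, and every email address, password, device ID, name and autofill value below is constructed.

```python
"""Pivot a leaked password through constructed breach and infostealer records.

Added example. All records are invented; the two lists stand in for the
commercial credential and autofill indexes described in the text.
"""
from collections import defaultdict

# Constructed credential records: (email, password, source, device_id).
# "stealer" rows came from an infected device; "combolist" rows have no device.
CREDENTIAL_RECORDS = [
    {"email": "target@example.com", "password": "Xq7!kettle-drum-2024", "source": "stealer", "device_id": "dev-A1"},
    {"email": "target@example.com", "password": "Xq7!kettle-drum-2024", "source": "stealer", "device_id": "dev-A1"},
    {"email": "target@example.com", "password": "Xq7!kettle-drum-2024", "source": "combolist", "device_id": None},
    {"email": "someone@example.org", "password": "Password123", "source": "combolist", "device_id": None},
    {"email": "another@example.net", "password": "Password123", "source": "stealer", "device_id": "dev-B2"},
]

# Constructed autofill records dumped from the same infected devices,
# one browser profile per household member.
AUTOFILL_RECORDS = [
    {"device_id": "dev-A1", "profile": "parent", "field": "surname", "value": "Doe"},
    {"device_id": "dev-A1", "profile": "parent", "field": "city", "value": "Exampleville"},
    {"device_id": "dev-A1", "profile": "parent", "field": "employer", "value": "Example Airlines"},
    {"device_id": "dev-A1", "profile": "teen", "field": "surname", "value": "Doe"},
    {"device_id": "dev-A1", "profile": "teen", "field": "city", "value": "Exampleville"},
    {"device_id": "dev-A1", "profile": "teen", "field": "school", "value": "Example High"},
    {"device_id": "dev-B2", "profile": "user", "field": "surname", "value": "Roe"},
]


def emails_for_password(password, records=CREDENTIAL_RECORDS):
    """Step 2 pivot: every email address this exact password has been seen with."""
    return sorted({r["email"] for r in records if r["password"] == password})


def devices_for_email(email, records=CREDENTIAL_RECORDS):
    """Infected devices (stealer rows only) whose logs held credentials for this email."""
    return sorted({r["device_id"] for r in records
                   if r["email"] == email and r["source"] == "stealer" and r["device_id"]})


def household_profiles(device_id, autofill=AUTOFILL_RECORDS):
    """Group one device's autofill entries by browser profile: {profile: {field: value}}."""
    profiles = defaultdict(dict)
    for r in autofill:
        if r["device_id"] == device_id:
            profiles[r["profile"]][r["field"]] = r["value"]
    return dict(profiles)


def shared_fields(profiles):
    """Step 4 check: field/value pairs every profile on the device agrees on.

    Needs at least two profiles; a value shared by all users (surname, city)
    is evidence of a household, not an identifier for any one member.
    """
    if len(profiles) < 2:
        return {}
    common = None
    for fields in profiles.values():
        items = set(fields.items())
        common = items if common is None else common & items
    return dict(common)


def corroborate(claims, profiles):
    """Step 3 -> 4: match soft claims from chat ({field: value}) against autofill.

    Returns {field: [profiles whose autofill carries exactly that value]}.
    An empty list means the claim is unsupported by this device's data.
    """
    return {field: sorted(p for p, f in profiles.items() if f.get(field) == value)
            for field, value in claims.items()}


def pivot(password):
    """Run the whole chain, stopping early if the password is not a unique key."""
    emails = emails_for_password(password)
    report = {"password_hits": emails, "unique": len(emails) == 1,
              "devices": [], "profiles": {}, "shared_autofill": {}}
    if not report["unique"]:
        # Common, shared or default passwords map to many addresses; no pivot.
        return report
    for dev in devices_for_email(emails[0]):
        profiles = household_profiles(dev)
        report["devices"].append(dev)
        report["profiles"][dev] = profiles
        report["shared_autofill"][dev] = shared_fields(profiles)
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(pivot("Xq7!kettle-drum-2024"), indent=2))
    print(json.dumps(pivot("Password123"), indent=2))  # ambiguous: two addresses
```

The `unique` flag is the caveat that matters in practice: the pivot in Step 2 only worked because the leaked password was rare enough to resolve to a single address. `corroborate` makes the Step 3 to Step 4 link explicit by checking each chat-derived claim against the autofill profiles rather than against the household as a whole, so a claim that only one family member's data supports is kept separate from one the whole household shares.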
Step 5: Naming Saif Al‑Din Khader
The infostealer data did not just reveal metadata; it exposed full names tied to the same browser and credential environment. Among those records was the name Saif Al‑Din Khader, which aligned with the age profile and behavioral patterns attributed to Rey.
After unsuccessfully trying to contact Saif directly, the journalist sent a carefully worded email to his father, Zaid, outlining concerns that his son was involved in serious cybercrime. Within hours, a response arrived—not from the father, but from Saif himself via Signal.
- Saif confirmed that his father had forwarded the email, thinking it might be a scam, prompting Saif to respond personally.
- He stated he would soon turn 16, matching the age previously claimed in Telegram chats, and acknowledged his involvement with SLSH and related operations.
- Saif claimed that ShinySp1d3r was essentially a reworked version of Hellcat ransomware, modified using AI tools, and that he had distributed the Hellcat source code.
This direct conversation effectively closed the loop: the digital fingerprints, OSINT breadcrumbs, breach data, and chat behavior all converged on a single teenager in Amman.
Step 6: Cooperation Claims and Legal Uncertainty
During the exchange, Saif asserted that he had already begun cooperating with law enforcement and wanted to leave cybercrime behind. He described reaching out to the Telegram account for Operation Endgame, a multinational law‑enforcement effort targeting cybercrime suppliers and customers.
- Saif said he had been in contact with authorities since at least June and claimed to have ceased corporate breaches and extortion since September.
- He worried that public exposure would complicate any potential plea or cooperation agreements, saying that additional “heat” could disrupt ongoing discussions with agencies allegedly coordinating across multiple countries.
- He shared a screenshot suggesting contact with Europol, though he was unable to provide verifiable details of specific case officers, and the journalist could not independently validate the depth of this cooperation.
The narrative illustrates a recurring tension in cyber investigations: the balance between public accountability and preserving opportunities for young offenders to cooperate and rehabilitate.
Lessons from the OSINT Trail
The journey to unmask Rey offers concrete lessons for defenders, investigators, and aspiring security researchers who study the case as a methodology rather than as something to emulate.
- Minor operational mistakes compound over time. A single unredacted password exposed via a Telegram screenshot became the key to unlock infostealer logs, email identities, and historical forum activity, showing how one slip can cascade into full de-anonymization.
- Cross-source correlation is powerful. The investigator never relied on one dataset alone: commercial intelligence, breach and infostealer telemetry, forum archives, Telegram chatter, and reporting from firms like Intel 471, SentinelOne, KELA, and Flashpoint all reinforced one another.
- Personal storytelling betrays anonymity. Seemingly harmless anecdotes about Irish roots, age, a pilot father, and a family surname ended up matching structured data about the Khader family and their airline employment exactly.
- Youth does not equal immunity. Even though Saif was just 15 to 16, he sat at the center of ransomware-as-a-service operations, high-profile extortion campaigns, and an influential breach marketplace, demonstrating that age is no barrier to impact or to legal exposure.
For organizations, this story underscores the value of monitoring for voice‑phishing, insider recruitment, and infostealer‑driven account compromise, which SLSH weaponized at scale. For researchers, it is a case study in how persistent, ethically grounded OSINT can dismantle the myth of the untouchable cybercriminal mastermind.
This article was researched and written by our team, with AI assistance used solely for copy-editing and rephrasing to improve readability.